I have a saved search which I would like to pass a _index_earliest=XXX parameter to. I am trying to make a search that will give information based on a specified time that can be configured by calling the saved search and then entering the specified time. For example, the call might look something like
| savedsearch saved_search_name _index_earliest=xxx
I am aware that you can do this with host, but I am having trouble trying to do this with a time. I would be joining this search with another search that uses a different time, which is why I simply can't use the time set options provided in the drop-down.
This is common; you just use earliest like this:
earliest=xxx latest=now() your search text
You can chain it like this:
outer search stuff with time set by timepicker | stats latest(_time) AS earliestTime | map search="earliest=$earliestTime$ latest=now() search inner search stuff"
By what method are you getting input from users? If I understand you correctly now, you would not use a saved search, you would use a macro (with the guts from your saved search) and then use the
Okay, so by that do you mean that the guts from my saved search will be stored in a macro, and the earliest field will be left as "earliest=$earliest$" and so before anytime the user runs the query they would have to put in that date?
I originally envisioned it being as simple as "| savedsearch savedsearchname host=$host$" (but instead of host, earliest would be there). Then a user could just enter the date without seeing all the inner workings of the query.
You can pass parameters into saved searches from a dashboard... just not directly.
searchString using this:
| savedsearch Perfmon_Processor_ProcessorTime_Total host=$host$
If you want to use earliest, then you need to pass it as arguments to the | savedsearch command, within the search string, e.g.,
| savedsearch earliest=-24h@h
Hope that helps ...